nanogui@linuxhacker.org


Subject: Re: Access control
From: Alex Holden
Date: Thu, 14 Dec 2000 01:31:50 +0000 (GMT)

On Wed, 13 Dec 2000, Alan Cox wrote:
> If the network is secure then any old plaintext is fine. If the network is
> not secure then you need full crypto or it's only washing over the problem
> not fixing it.

How about a challenge-response mechanism using HMAC? rfc2104.html talks
about a cracker needing to acquire roughly 2**64 responses to a known
plaintext to be able to deduce the secret key (2**80 if SHA1 is used
instead of MD5). Would I be right in thinking that they mean that with a 
challenge response mechanism which uses this method to generate the hash
and random keys of a sufficient length, the secret is basically 
uncrackable within a reasonable timescale? It isn't actually encryption,
just a keyed hash, but that doesn't matter because we don't need to
decrypt the data which was hashed (just check that we get back the same
hash that we generated locally). It does require both the client and the
server to have a copy of the same plaintext private key though.

I'm not trying to implement encryption of the session itself (that could
be done via ssh if you need it and are prepared to pay the code size and 
performance penalties); just to prevent a cracker from being able to snoop
the password and then use the remote access capability to gain control of
the machine.

-- 
------- Alex Holden -------
http://www.linuxhacker.org/
 http://www.robogeeks.org/
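The challenge-response exchange the message above describes, written out as an added example (not code from this thread or from nanogui). It assumes a constructed shared key, uses SHA-256 in place of the MD5/SHA1 mentioned in the RFC discussion, and adds a one-shot challenge check so that a response snooped off the wire cannot simply be replayed.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret: both client and server must hold the same key,
# which is exactly the requirement the message above points out.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def make_challenge() -> bytes:
    """Server side: generate an unpredictable, single-use challenge (nonce)."""
    return secrets.token_bytes(16)


def client_response(key: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the key without ever sending it.
    Only HMAC(key, challenge) crosses the wire, never the key itself."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Tracks outstanding challenges so each can be answered exactly once.
    A captured response is useless to a snooper because the server never
    accepts the same challenge twice."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def issue(self) -> bytes:
        chal = make_challenge()
        self.outstanding.add(chal)
        return chal

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False  # unknown or already-used challenge: replay rejected
        self.outstanding.discard(challenge)  # consumed even if the answer is wrong
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        # compare_digest avoids the timing leak a plain == comparison would have
        return hmac.compare_digest(expected, response)


def run_exchange(server: Server, client_key: bytes):
    """One legitimate login, then a replay of the same captured pair."""
    chal = server.issue()
    resp = client_response(client_key, chal)
    first = server.verify(chal, resp)
    replay = server.verify(chal, resp)  # what a snooper who saw both would send
    return first, replay
```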

